Future malware might offer real functions to avoid detection

Malware may begin to offer genuinely helpful functionality in the future, in order to “fly under the radar” and fake legitimacy before striking, according to Professor Giovanni Vigna from the University of California.

In a talk at IP Expo, Vigna outlined what he expected to be the next logical step in the evolution of malware, and the game of cat and mouse played out between hackers and security researchers. With malware’s effectiveness hampered once it has been spotted and catalogued by anti-virus software, it makes sense for the code to hide its true intentions until the program can be reasonably sure that it is on a real consumer or business computer, rather than in a lab environment. Or as BoingBoing puts it: “malware that keeps its head down on new infection sites, cautiously probing the operating system to try and determine if it’s running on a real computer or if it’s a head in a jar, deploying all kinds of tricks to get there.”

These ‘tricks’ come in many shapes and forms – it can be as simple as looking for mouse movement suggesting a real person is in control of the computer, but it’ll go deeper too, searching the BIOS and DLL listings of the registry for clues that the host system might be hunting for new malware. “The stakes are high – if the malware has got this far, with its hash unlisted in the popular security databases, it has everything to lose by disclosing its target behavior in a virtual environment”, explains The Stack.

To avoid detection, it makes sense to hide its true intentions behind genuinely useful properties. Gizmodo highlights some examples of how this might work: “some of the system calls might make sense coming from a defragger but not from a text editor, though—and it’s quirks like that the malware of the future will seek to exploit.”

“In some cases, it may just be easier for the malware to do useful stuff on our computers – actually cleaning up our hard disks, say – before it later attacks, in order to seem genuine.”

For now, Vigna has yet to see any software attempting this ruse, but his suspicion is that it’s only a matter of time, as malware fights to survive against rapid detection and obsolescence.